Use EmpowerID API Authorization Service to secure Azure App Services

You can use the EmpowerID API Authorization Service to secure your Azure App Services.

How to secure Azure App Services

  1. In Azure, locate the App Service you want to protect with the Azure API Management Service.

  2. Follow Microsoft's documentation to import or create your APIs in the Azure API Management Service.

  3. Create or import your APIs in EmpowerID by following the steps outlined here.

  4. From Azure API Management Service, select the Named values option.

  5. Click Add to open the Add named value window and enter the following information:

    • Name — Enter AuthorizationServiceUrl. (This named value will be referenced as {{AuthorizationServiceUrl}} in the inbound processing policy.)

    • Display Name — Enter AuthorizationServiceUrl.

    • Value — Enter the full URL of the EmpowerID Authorization Service. The URL should be https://hostname/oauth/v2/gateway/authorize, where hostname is the name of your EmpowerID server.

  6. Save the named value and close the Add named value window.

  7. Under APIs, select APIs > the name of the API you want to protect > All Operations, and open the Inbound processing policy code editor.

  8. In the policy editor, add the following policy to the Inbound processing section directly beneath the <set-backend-service> tag and adjust it as needed.

    The policy below returns 401 when the Authorization, client_id or scope header is missing, caches the EmpowerID authorization result and token for up to five minutes (keyed on the Authorization header plus the request URL), returns 403 for failed authorizations, and forwards EmpowerID's token to the backend in the AuthorizedToken header.

    <!-- Ensure that the request carries the required headers -->
    <choose>
        <when condition="@(!context.Request.Headers.ContainsKey("Authorization") || !context.Request.Headers.ContainsKey("client_id") || !context.Request.Headers.ContainsKey("scope"))">
            <return-response>
                <set-status code="401" reason="Unauthorized" />
                <set-header name="WWW-Authenticate" exists-action="append">
                    <value>@("Bearer realm="+context.Request.OriginalUrl.Host)</value>
                </set-header>
            </return-response>
        </when>
    </choose>
    <!-- Check the cache to see whether this request has been authorized previously -->
    <cache-lookup-value key="@(context.Request.Headers.GetValueOrDefault("Authorization")+context.Request.OriginalUrl.ToString())" variable-name="status" />
    <cache-lookup-value key="@(context.Request.Headers.GetValueOrDefault("Authorization")+context.Request.OriginalUrl.ToString()+"accesstoken")" variable-name="accesstoken" />
    <choose>
        <!-- If not previously authorized, contact EmpowerID for authorization -->
        <when condition="@(!context.Variables.ContainsKey("status") || !context.Variables.ContainsKey("accesstoken"))">
            <!-- Authorize the incoming request -->
            <send-request mode="new" response-variable-name="response" timeout="120" ignore-error="false">
                <!-- Set the EmpowerID authorization service endpoint and forward the relevant data from the original request.
                     The authorization service is only interested in the client ID, scope, and Authorization header -->
                <set-url>{{AuthorizationServiceUrl}}</set-url>
                <set-method>GET</set-method>
                <set-header name="Authorization" exists-action="override">
                    <value>@(context.Request.Headers.GetValueOrDefault("Authorization"))</value>
                </set-header>
                <set-header name="client_id" exists-action="override">
                    <value>@(context.Request.Headers.GetValueOrDefault("client_id"))</value>
                </set-header>
                <set-header name="url" exists-action="override">
                    <value>@(context.Request.OriginalUrl.ToString())</value>
                </set-header>
                <set-header name="scope" exists-action="override">
                    <value>@(context.Request.Headers.GetValueOrDefault("scope"))</value>
                </set-header>
            </send-request>
            <!-- Extract the response body and collect the authorized token and authorization result -->
            <set-variable name="responsebody" value="@(((IResponse)context.Variables["response"]).Body.As<JObject>())" />
            <set-variable name="accesstoken" value="@(((JObject)context.Variables["responsebody"])["access_token"].ToString())" />
            <set-variable name="status" value="@(((JObject)context.Variables["responsebody"])["status"].ToString())" />
            <!-- Cache the authorization result and EmpowerID's authorized token for 5 minutes -->
            <cache-store-value key="@(context.Request.Headers.GetValueOrDefault("Authorization")+context.Request.OriginalUrl.ToString())" value="@((string)context.Variables["status"])" duration="300" />
            <cache-store-value key="@(context.Request.Headers.GetValueOrDefault("Authorization")+context.Request.OriginalUrl.ToString()+"accesstoken")" value="@((string)context.Variables["accesstoken"])" duration="300" />
        </when>
    </choose>
    <!-- Authorize or deny the request -->
    <choose>
        <when condition="@((string)context.Variables["status"] != "200")">
            <return-response>
                <set-status code="403" reason="Forbidden" />
            </return-response>
        </when>
    </choose>
    <!-- Forward the EmpowerID authorized token to the backend -->
    <choose>
        <when condition="@((string)context.Variables["status"] == "200")">
            <set-header name="AuthorizedToken" exists-action="override">
                <value>@((string)context.Variables["accesstoken"])</value>
            </set-header>
        </when>
    </choose>


  9. After the Azure API Management Service is configured, disable or restrict direct public access to the App Service so that every request must pass through API Management. The authorization policy only runs at the gateway; a caller who can reach the App Service's own hostname bypasses it entirely.
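To see how the policy in step 8 behaves end to end, the following is an added Python simulation of its decision logic; it is not code from EmpowerID or Microsoft. The authorization service, the cache and the clock are in-memory stand-ins (constructed for the example), and it assumes the service answers with a JSON body carrying status and access_token, the two fields the policy reads, and that the cache honours the 300-second duration. The header names, cache keys and status codes are taken from the policy itself; the URLs and tokens are made up.

```python
"""Simulation of the API Management inbound policy (added example, not the page's code).
FakeAuthorizationService stands in for the endpoint behind {{AuthorizationServiceUrl}};
Gateway reproduces the policy's branches: 401 on missing headers, cache lookup keyed on
Authorization header + original URL, 403 unless status is "200", AuthorizedToken forwarded.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

CACHE_TTL = 300  # seconds; matches duration="300" in the policy
REQUIRED_HEADERS = ("Authorization", "client_id", "scope")


class FakeAuthorizationService:
    """Assumed response shape: {"status": "200"|"403", "access_token": "..."}.
    'granted' maps (Authorization, client_id, scope) -> token the service would issue."""

    def __init__(self, granted: Dict[Tuple[str, str, str], str]):
        self.granted = dict(granted)
        self.calls = 0  # how often the gateway actually called the service

    def authorize(self, headers: Dict[str, str], url: str) -> Dict[str, str]:
        self.calls += 1
        key = (headers["Authorization"], headers["client_id"], headers["scope"])
        token = self.granted.get(key)
        if token is None:
            return {"status": "403", "access_token": ""}
        return {"status": "200", "access_token": token}

    def revoke(self, key: Tuple[str, str, str]) -> None:
        self.granted.pop(key, None)


class FakeClock:
    """Controllable time source so the 5-minute cache expiry can be exercised offline."""

    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class Gateway:
    auth: FakeAuthorizationService
    now: Callable[[], float]
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def _lookup(self, key: str) -> Optional[str]:
        hit = self.cache.get(key)
        if hit is None:
            return None
        value, expires_at = hit
        if self.now() >= expires_at:  # expired entry behaves like a miss
            del self.cache[key]
            return None
        return value

    def _store(self, key: str, value: str) -> None:
        self.cache[key] = (value, self.now() + CACHE_TTL)

    def handle(self, headers: Dict[str, str], url: str):
        """Returns (status_code, response_headers, backend_headers or None)."""
        # Branch 1: any of the three headers missing -> 401 with WWW-Authenticate.
        if any(h not in headers for h in REQUIRED_HEADERS):
            return 401, {"WWW-Authenticate": "Bearer realm=" + urlsplit(url).hostname}, None
        # Branch 2: cache lookup; the key is Authorization + URL only, exactly as in the policy.
        key = headers["Authorization"] + url
        status, token = self._lookup(key), self._lookup(key + "accesstoken")
        if status is None or token is None:
            body = self.auth.authorize(headers, url)
            status, token = body["status"], body["access_token"]
            self._store(key, status)  # note: a "403" result is cached just like a "200"
            self._store(key + "accesstoken", token)
        # Branch 3: anything other than "200" is denied.
        if status != "200":
            return 403, {}, None
        # Branch 4: forward EmpowerID's token to the backend.
        return 200, {}, {"AuthorizedToken": token}


def run_scenario() -> Dict[str, object]:
    """Drives the gateway through the cases a reviewer of the policy cares about."""
    grant = ("Bearer abc", "client-1", "orders.read")
    auth = FakeAuthorizationService({grant: "eid-token-1"})
    clock = FakeClock()
    gw = Gateway(auth, clock)
    url = "https://api.example.test/orders/42"  # constructed request URL
    ok = {"Authorization": "Bearer abc", "client_id": "client-1", "scope": "orders.read"}
    r: Dict[str, object] = {}
    r["missing_header"] = gw.handle({"Authorization": "Bearer abc"}, url)[0]
    r["first"] = gw.handle(ok, url)
    r["second"] = gw.handle(ok, url)                      # served from cache
    r["calls_after_two"] = auth.calls
    r["unknown_token"] = gw.handle(dict(ok, Authorization="Bearer xyz"), url)[0]
    r["other_scope_same_token"] = gw.handle(dict(ok, scope="orders.write"), url)[0]
    auth.revoke(grant)
    r["revoked_within_ttl"] = gw.handle(ok, url)[0]       # cache still says 200
    clock.advance(CACHE_TTL)
    r["revoked_after_ttl"] = gw.handle(ok, url)[0]        # cache expired, service re-asked
    r["total_calls"] = auth.calls
    return r


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two behaviours of the policy are visible in the scenario and worth checking against your requirements before deploying it: a request with the same bearer token and URL but a different scope or client_id is served from the cache without the authorization service seeing it, because only the Authorization header and URL form the cache key; and an authorization that EmpowerID would now refuse keeps succeeding at the gateway until the cached entry expires, so the 300-second duration is the upper bound on how long a revocation takes to be enforced at the API.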